INTOSAI Members

Australia

The primary objective of the audit was to assess FaCS' (Department of Family and Community Services) management of the Internet portals for which it had responsibility as lead agency, www.youth.gov.au, www.community.gov.au, and www.families.gov.au. The ANAO also included in the audit a website directed towards youth, The Source, which provided many of the services expected of a portal. The audit considered governance structures for the portals; measurement of efficiency and effectiveness; and control factors, such as change management, security, and legal issues.

Quality Internet Services for Government Clients - Monitoring and Evaluation by Government Agencies (Tabled: 20 February 2004)

The objective of this audit was: to form an opinion on the adequacy of selected agencies' approaches to monitoring and evaluation of government programs and services delivered on the Internet; and to identify better practices and opportunities for improvement. In order to achieve this objective, the audit examined the websites and Internet-delivered services of five agencies.

The Australian Taxation Office's Collection and Management of Activity Statement Information (Tabled: 03 March 2004)

The audit reviewed the ATO's collection and management of activity statement information. The audit paid particular regard to: the environment into which activity statements were introduced; taxpayer concerns with activity statement administration; the mechanisms the ATO uses to capture and process activity statements; the change processes the ATO uses to change and test activity statement IT systems; and the management methodology used to report on, and assess the performance of, activity statement related systems and processes.

Corporate Governance in the Australian Broadcasting Corporation - Follow-up Audit (Tabled: 31 March 2004)

In April 2002, the ANAO tabled Audit Report No.40 2001-02 'Corporate Governance in the Australian Broadcasting Corporation' (the 2002 audit). In August 2003, the ABC submitted a report to the Joint Committee of Public Accounts and Audit (JCPAA) on its progress in implementing the recommendations from the 2002 audit and the JCPAA report. This follow-up audit examined the ABC's implementation of recommendations from both reports, using the ABC's progress report as its base.

Information Technology in the Department of Veterans' Affairs - Follow-up Audit (Tabled: 15 June 2004)

The objective of this audit was to follow up DVA's (Department of Veterans' Affairs) implementation of the recommendations in Audit Report No. 44, 2000-01, Information Technology in the Department of Veterans' Affairs. The ANAO made two recommendations in the report (the second having five parts). The recommendations addressed the monitoring of IT changes; IT performance information; information systems model documentation; and the facilitation of the interpretation of performance information.

The overall objective of the audit was to assess CrimTrac's progress in achieving the key deliverables it was established to provide, given that the agency had been in operation for some three years. The Australian Government provided $50 million for the implementation of CrimTrac, with an expectation that significant progress would be made within the first three years. The audit further examined whether CrimTrac had progressed the key deliverables efficiently and effectively, and whether the data either held by CrimTrac, or accessed through CrimTrac, for matching purposes is secure.

Control Structures as part of the Audit of Financial Statements of Major Australian Government Entities for the Year Ending 30 June 2004 (Tabled: 30 June 2004)

This report updates the ANAO's assessment of audit findings relating to major entity internal control structures, including governance arrangements, information systems and control procedures through to March 2004. The findings summarised in this report arise from the interim phase of the financial statement audits of major Australian Government entities for 2003/2004. Examinations of such findings are designed to assess the reliance that can be placed on control structures to produce complete, accurate and valid information for financial reporting purposes.

Medicare is Australia's universal health insurance scheme. Underpinning Medicare is one of Australia's largest and more complex computer databases, the Medicare enrolment database. At the end of 2004 the Medicare enrolment database contained information on over 24 million individuals. This audit examines the quality of data stored on that database and how the Health Insurance Commission (HIC) manages the data.

Measuring the Efficiency and Effectiveness of E-Government (Tabled: 10 February 2005)

This audit was designed to identify the methods used by selected agencies to measure the efficiency and effectiveness of their delivery of services through the Internet, and to evaluate the adequacy of these methods. ANAO also identified better practices, lessons learned and opportunities for improvements.

This audit is a part of the ANAO's protective security audit coverage. The objective of this audit was to determine whether agencies audited had developed and implemented sound IT security management principles and practices supported by an IT security control framework, in accordance with Australian Government policies and guidelines. The audit at each agency examined the framework for the effective management and control of IT security, including the management of IT operational security controls and, where applicable, was based on the Australian Government protective security and information and communications technology (ICT) security guidelines that were current at that time.

The audit examined aspects of the integrity and management of customer data stored on ISIS. In particular, the audit considered measures of data accuracy, completeness and reliability. The scope of the audit also extended to aspects of Centrelink’s IT control environment - in particular, controls over data entry.

The objective of this performance audit was to assess whether DIMIA’s (Department of Immigration and Multicultural Affairs) information systems and business processes are effective in supporting APP to meet its border security and streamlined clearance objectives. In particular, the audit focused on the following: Mandatory APP - Stage 1 (MAPP1) project management; MAPP1 IT development and system performance; APP performance reporting; contract management; and financial management.

Internet Security in Australian Government Agencies (Tabled: 13 June 2006)

The audit objective was to form an opinion on the adequacy of a select group of Australian Government agencies’ management of Internet security, including following-up on agencies’ implementation of recommendations from the ANAO’s 2001 audit. The agencies audited were Australian Customs Service (ACS), Australian Federal Police (AFP), Australian Radiation Protection and Nuclear Safety Agency (ARPANSA), Department of Employment and Workplace Relations (DEWR), Department of Industry, Tourism and Resources (DITR) and Medicare Australia. Factors considered in selecting agencies were agency size based on funding levels, whether the agency was included in ANAO’s 2001 audit (ACS, ARPANSA, and DEWR), whether the agency’s ICT was managed in-house or outsourced, and the nature of the agency’s website (that is, general or restricted access).

The objective of the audit was to review the operation of the ATO’s (Australian Taxation Office) Tax Agent and Business Portals. In conducting the audit the ANAO examined three key areas: governance – the governance arrangements supporting ongoing management of the Portals; portals development, user satisfaction and realisation of expected benefits – the ATO’s processes for involving users in developing the Tax Agent and Business Portals, assessing user satisfaction, and evaluating business benefits arising from uptake of the Portals; and information technology (IT) security and user access controls – the ATO’s IT security environment and user access controls supporting the operation of the Tax Agent and Business Portals.

Recordkeeping including the Management of Electronic Records (Tabled: 12 October 2006)

The objective of the audit was to assess the extent to which entities were meeting their recordkeeping responsibilities. In particular, the audit examined how effectively the entities were managing records that were created and stored electronically in corporate recordkeeping systems and in other electronic systems in accordance with recordkeeping requirements.

Management of an IT Outsourcing Contract - Follow-up (Tabled: 05 December 2006)

The objective of this follow-up audit was to assess the extent to which DVA (Department of Veterans' Affairs) had implemented the recommendations from the original audit during the period 2002–06, including in its preparation of the IT outsourcing contract which will operate from 2007.

Modern electronic records and knowledge management techniques have allowed many organisations to identify opportunities for better performance. Some organisations are beginning to move to new approaches to recordkeeping. This transition is being assisted by recent developments in the recordkeeping profession in Australia and internationally. In this respect, the National Archives of Australia (National Archives) has developed, for example, e-permanence recordkeeping standards for Commonwealth organisations.

The audit objective was, for selected organisations, to:

• assess whether recordkeeping policies, systems and procedures were in accordance with relevant Government policies, legislation, accepted standards and recordkeeping principles, and applicable organisational controls; and

The audit assessed whether Centrelink has effective Business Continuity Management and/or associated risk management procedures and plans in place that: minimise the likelihood of a significant business outage; and in the event of such an outage, minimise disruption of critical services to customers. The audit also assessed whether Centrelink services satisfy special community demands in times of emergency.

Control Structures as part of the Audit of Financial Statements of Major Commonwealth Entities for the Year Ending 30 June 2003

The report summarises audit findings relating to entity internal control structures arising out of the interim financial statement audits of 21 Major Commonwealth entities for the year ending 30 June 2003. The interim audit examinations seek to update the ANAO's assessment of the internal control environment of entities reviewed, so as to determine whether reliance can be placed on those control structures to produce complete, accurate and valid information for financial reporting purposes.

The objective of the audit was to report to Parliament on the progress Defence has made since June 2001 in implementing appropriate strategies for recruiting, developing and retaining skilled IT personnel. The audit focused on management of specialist information system skills and did not examine skills needed by users of information systems, although the latter is of obvious importance for overall performance.

The audit reviewed the Australian Taxation Office's fraud prevention and control arrangements in relation to the Goods and Services Tax. The audit objective was to assess whether the ATO has implemented administratively effective GST fraud control arrangements, consistent with the Commonwealth Fraud Control Guidelines.

The audit examined the management of computer software assets at four Commonwealth bodies. It focused on the capitalisation of software for the purposes of annual financial reporting. The specific objectives were to: determine whether the selected bodies had established effective internal control frameworks for the capitalisation of externally acquired and internally developed software; and assess whether software costs were capitalised in accordance with organisational policy, accounting standards and relevant legislation.

In January 2000, the ANAO published a Better Practice Guide (BPG) Business Continuity Management, Keeping the wheels in motion (the Guide). The Guide established that the objective of Business Continuity Management (BCM) is to ensure the uninterrupted availability of all key business resources required to support essential (or critical) business activities. This is achieved by organisations building resilience (controls and redundancy) into business operations to prevent, or minimise, the likelihood of business continuity risks occurring and, also, developing plans that minimise the impact should they occur. The primary objective of this audit was to examine BCM arrangements across four Commonwealth organisations, to assess whether their existing BCM frameworks (or frameworks under development) exhibit the principles espoused in the Guide. At the Commonwealth-wide level, the ANAO considered the continuing relevance of the principles presented in the Guide.

The ANAO concluded that the principles espoused in the Guide remain relevant to Commonwealth organisations when considering business continuity risks. The Guide also continues to provide useful information to assist organisations to establish and maintain BCM frameworks, controls and plans.

Monitoring of Industry Development Commitments under the IT Outsourcing Initiative

The objective of the performance audit was to review the progress in the delivery of contractual commitments for Industry Development (ID) for the five contracts awarded under the IT Outsourcing Initiative. In particular, the audit examined the effectiveness of the monitoring by DCITA of achievement against contractual commitments for ID; assessed the impact of changes to the IT outsourcing environment on the management and monitoring of ongoing ID obligations; and identified practices that have improved administrative arrangements.

Management of e-Business in the Department of Education, Science and Training

The objective of the audit was to determine whether DEST has effective governance practices for its IT and e-Business; has adequate systems in place to measure the efficiency and effectiveness of its IT and e-Business; implements and maintains appropriate quality standards within its IT and e-Business systems; and implements proper controls, including risk management, to achieve maximum benefits from its IT and e-Business. The audit examined education and training services provided, or managed, by DEST via IT or the Internet.

Protective security involves the total concept of information, personnel, physical, information technology and telecommunications security. The Commonwealth's Protective Security policy is outlined in the Protective Security Manual (PSM). It provides specific guidance to agencies on the protection of the Commonwealth's assets, personnel and clients from potential security threats. This audit evaluated the protective security policies and practices of seven Commonwealth agencies to determine whether they had established an appropriate physical security control framework based on the principles outlined in Part E of the Commonwealth's Protective Security Manual. The ANAO also examined whether agencies had considered the risks of, and developed an appropriate policy statement on, the physical security arrangements for employees who work from home.

The objective of this performance audit was to examine and report on the selection of the preferred tenderer in the Health Group IT outsourcing process. In particular, the audit examined the circumstances surrounding OASITO's administration of the: disclosure to a tenderer of information provided by other tenderers; subsequent acceptance of a late re-pricing offer from a tenderer; and advice to the decision-maker leading to the selection of the preferred tenderer.

The ANAO reviewed arrangements for the development of the department's fraud policy, fraud risk assessment and fraud control plan within the core functional areas of the department that are responsible for these activities. The audit also examined the operational procedures and guidelines that were in place to implement the department's fraud policy. The objective of the audit was to assess whether DVA has implemented appropriate fraud control arrangements in line with the Fraud Control Policy of the Commonwealth and whether these arrangements operate effectively in practice.

The overall objective of the audit was to determine whether Health's management and operation of selected IT systems: met industry better practice; met quality and service delivery parameters set by Health and, if applicable, by the Government; and operate effectively, efficiently and economically. The audit applied selected processes from CobiT (Control Objectives for Information and Related Technology) to assist with the assessment of key aspects of Health's management and operation of IT. The audit builds on ANAO's earlier IT audits using CobiT.

The Department of Veterans' Affairs (DVA) uses IT extensively in providing services to Australia's veteran and defence force communities. The audit reviewed DVA's management of its IT outsourcing contract. The audit considered DVA's planning to meet its strategic IT needs through the IT outsourcing contract, the provisions of the contract, contract administration, management of the impacts of the outsourced services on DVA's business and the outcomes of DVA's approach to the contract.

Recordkeeping is an essential enabler in any organisation’s corporate governance and critical to accountability. Just as for other governance elements such as financial management or audit, it needs to be strategically and professionally managed. The audit objective was to:

• assess whether organisations’ recordkeeping policies, systems and processes accord with requirements under the Archives Act 1983, with relevant government policies, and with accepted standards and recordkeeping principles; and

• identify better practices and recommend any improvements to organisations’ current arrangements.

In view of the significant level of investment by Commonwealth agencies in the implementation and production of FMISs, the ANAO, in conjunction with Gartner, undertook a benchmarking study within the Commonwealth budget sector with the objective of determining and reporting on FMIS:

• implementation and production costs; and

• implementation timeframes.

Bermuda

Includes the report of a Management Control Systems Audit carried out on the Bermuda Post Office. The overall conclusion is that full implementation of the Point of Sale computer system should be pursued as a matter of urgency, and that until full and effective implementation is achieved, physical and clerical control over the storage and issuance of stamps needs strengthening.

The Government of Bermuda relies heavily on its computers and computer systems. The central computer systems, in particular, are crucial to its ongoing ability to function administratively and to provide services to the citizens of Bermuda.

The audit examined the computer environment, the main applications systems and the general computer related controls of the Government’s central computer systems. It focused particularly on entity-wide security, access controls, systems development and change controls, system software controls, segregation of duties, and service continuity arrangements. The controls were reviewed for appropriateness of purpose and design though, in many cases, the work did not extend to testing fully the operation and effectiveness of the controls.

Canada

We examined GOL activities of the three main departments that deal most often with Canadian citizens and businesses—Human Resources Development Canada, the Canada Customs and Revenue Agency, and Industry Canada. Our audit indicated progress in implementing the GOL initiative across government and highlighted a number of issues and challenges that could help the government to set its GOL priorities for 2005 and beyond.

The federal government still has serious difficulties managing large information technology (IT) projects, despite the existence of a framework of best practices that dates back to 1998. The audit found that only two of the seven large IT projects examined—My Account, My Business Account (Canada Revenue Agency), and 2006 Census Online (Statistics Canada)—met all the criteria for well-managed projects.

Five of the projects were allowed to proceed with a business case that was incomplete or out-of-date or contained information that could not be supported. The majority of projects examined were undertaken even though departments lacked the appropriate skills and experience to manage the projects or the capacity to use the system to improve the way they deliver their programs.

The objective of the audit was to determine whether the government has put in place appropriate systems, policies, and practices to manage the quality of financial information for managers. This consisted of the following two parts:

• determining whether departments have put in place financial systems, policies, and practices to provide managers with appropriate and reliable financial information; and

• determining whether central agencies have put in place systems, policies, and practices to provide guidance to departments and to manage the overall quality of government financial information.

The audit revealed that the IT security standards that support the Government Security Policy were out-of-date and a plan to update them had yet to be completed. The security policy would not be fully effective without updated standards setting out the minimum requirements that departments and agencies must meet. The standards are an essential tool for supporting appropriate IT security practices across government.

The Auditor General of Canada reported that the federal government is handling successfully the acquisition of two large information technology (IT) projects totalling $120 million. However, large projects still take too long to get under way. The Auditor General also points to potential savings in the acquisition of microcomputers and network equipment. More important, he warns that software products are an area of risk that requires action now.

Denmark

The report deals with the Danish Defence’s acquisition and commissioning of the DeMars IT system. The purpose of the report was to examine and evaluate whether the Defence’s acquisition of DeMars has been satisfactory and whether the Danish Defence has started using DeMars.

DeMars is intended to ensure effective planning, implementation and follow-up on the Defence’s activities. DeMars is a shared administrative system which includes all institutions of the Ministry of Defence, except three institutions which are using Navision. The DeMars project was completed in 2004. In terms of accounting, the project was completed at year-end 2004. In connection with the analysis, the NAOD involved the Ministry of Defence, Defence Command Denmark and the underlying authorities of the army, navy and air force.

In order to be able to fulfil the purpose of the examination, the NAOD considered the project accounts of DeMars and the commissioning of the system in several administrative areas. Finally, the examination deals with the data quality of DeMars, the training of its users and the preparation of management information on the basis of data in DeMars.

4/02 Effect of seven IT projects implemented in the state (2003)

The report deals with the effect of state IT projects. The purpose of the report is to examine the preliminary studies serving as the basis for the development and implementation of the selected IT projects, including assessment of the establishment of objectives for the effects of the projects on institutional task management. The further purpose of the study is to assess the extent to which the selected projects fulfil the established objectives.

A central element in the NAOD examination is to extract good examples from the examined IT projects and establish general recommendations for carrying out state IT projects.

The report examines and assesses the extent and content of the analysis work carried out prior to the development of the IT projects. The study includes an assessment of whether, on the basis of the analysis, well-defined objectives for effectiveness have been established that can subsequently be tested, as well as whether the IT projects demonstrate the expected effects after being put into operation.

The report resulted in the establishment of eight recommendations for carrying out state IT projects. The recommendations are aimed at establishing objectives for the effects of the project in the preliminary study, the basis for decisions regarding initiation of project development and the concluding assessment.

This report examines and assesses public IT projects in Denmark. It is based on questionnaires that were used to examine each participating organisation’s four most significant ongoing or completed IT projects during the period 1997-1999. The examination covered 20 departments and 58 agencies, and 124 IT projects amounting to a total value of about DKK 4.5 billion.

The study examined the problems of delivering IT projects within budget and deadline, and delivering the originally specified functional requirements. It also examined the extent to which other countries experienced problems with public IT projects by comparing the results with similar examinations carried out in Sweden, Norway and Great Britain.

On the basis of this examination, the National Audit Office of Denmark published 10 overall recommendations aimed at increasing competence and reducing the extent of future problems in public IT projects. The recommendations addressed IT project organisation, management, planning and implementation.

This paper briefly outlines how the National Audit Office of Denmark has integrated the use of IT-tools in the audit products. The following subjects are considered in the paper: the IT products and their use (IDEA, NT auditor etc.), statistical sampling, analysis of accounting information, audit of general IT-controls, IT-tools for benchmarking, access to data, process audit and lessons learned.

Estonia

The Tiger Leap program brought computers and Internet to the schools, but the implementation of the development plan of the Tiger Leap Plus program in 2001 to 2005 should create the preconditions for using ICT facilities as an integral part of the learning process in all Estonian schools. The SAO examined the implementation of measures envisaged in the Tiger Leap Plus development plan in 2001 and 2002, comparing data to the earlier periods where necessary.

Finland

The audit surveyed the development of online services in public administration in light of key objectives. It looked at how the work of different authorities and bodies has been coordinated and how projects have been initiated in developing online services and to what extent and on what grounds the state has allocated funds to projects involving online services. In addition to surveying current problems, the audit sought to draw attention to possible development recommendations.

This report is a summary of audits concerning physical data security which were conducted in the Ministry of Social Affairs and Health's administrative sector. The audits indicated deficiencies in the management of data security, fire safety and the protection of facilities. Some agencies and facilities had protection classifications which were open to interpretation and unclear. Serious damage to property did not come to light in the audit. The administrative sector has not systematically reviewed data security observations and known data security threats, however. Written guidelines and different facilities' security classifications also needed to be developed and updated. The State Audit Office has emphasized the importance of systematic risk assessment and the effective flow of information in managing data security.

The mission of the Information Technology Services Department (ITSD) is to promote and enable the extensive adoption and use of IT in the Government; to enable individuals, businesses and the Government to interact easily and securely through the use of IT; and to promote the wider use of IT in the community. Audit has recently conducted a review on the various methods adopted by the ITSD to secure IT services. The audit has also examined how the ITSD plans and controls its IT manpower resources in the light of the Government's vigorous outsourcing strategy.

India (Chair)

The Company, which decided to implement ERP solution, a state of the art technology, towards its IT re-engineering efforts and spent vast sums of money had failed to get full benefits of the system. This was a result of deficiencies in planning, monitoring, training and communication of the Company’s vision to all levels of the organisation, which led to delays, reliance on outside experts and lacunae in integration and implementation of the project. The Company also failed to comprehensively assess the risks and frame an effective mitigation strategy for the same. The system is working because of the expertise and involvement of individuals but improvements were not ingrained into all the relevant processes of the organisation as a whole. In order to complete all aspects of the re-engineering effort and exploit the full potential of the technology, the Company needs to focus on areas such as training, monitoring the processes and taking and analysing user feedback to plan and improve processes.

The billing system has poor general information technology controls especially regarding the security features such as access controls, passwords, login attempts and security breach reports. Thus the system was vulnerable to unauthorised access and data manipulation. The business rules in many cases were found to be improperly incorporated into the system along with insufficient application controls and validation checks resulting in revenue loss to the Board. Use of the system as an input to the management information system was virtually absent and there was poor coordination between the department of information technology/management information system and the user department. There is an urgent need to incorporate security controls and proper application controls through validation checks in the software. The Board should formulate and document an information technology policy to delineate the responsibilities and interaction between the department of information technology and the user departments.

The Directorate of Employment, West Bengal, through its network of Employment Exchanges, caters for activities such as registration of job seekers, renewal of registration and submission of lists of eligible candidates to employers. Computerisation of 40 employment exchanges in the state was taken up along with network connectivity, and the work was entrusted to the ET & TDC on a turnkey basis. However, even after spending Rs 6.52 crore, the computerised systems installed in the employment exchanges have been lying inoperative for the last 30 to 46 months owing to a default timer-based lock implanted by the vendor, non-completion of the database, and non-installation of software due to abandonment of the work by the vendor, largely frustrating the basic objective of the scheme. The application software also lacked data processing and data manipulation controls. The absence of a disaster recovery strategy led to substantial data loss.

The online wide area networking system had poor networking, operating system, application and database security features and was hence vulnerable to unauthorised access and data/source code modification. These deficiencies had security implications in the absence of audit trails and system logs. An unauthorised business rule having a bearing on the revenues of the Corporation was incorporated in the software. The database was not designed to capture critical data for the grant of various concessions, and validation checks were inadequate.

The Transport department had incurred an expenditure of Rs. 9.84 crore as of March 2003 on the computerisation of its activities, including registration of vehicles and allied services, calculation/collection of fees and road tax, issue of permits, etc. In the absence of a formal IT strategy and supporting policies and procedures, the applications lacked essential internal controls and validation checks. In the absence of an integrated database at Headquarters as well as in the 10 zonal offices, the very purpose of computerisation, to provide efficient and reliable OLTP or to provide one-point service to an applicant of any zone at any of the zonal offices without undue inconvenience or harassment, remained unachieved.

Though the Government launched a unique and conceptually good project to put e-governance into action by providing a large number of services to citizens on a one-stop-shop basis, the project suffered from lack of transparency and inefficient and ineffective implementation, largely due to the unpreparedness of the participating departments and inadequate coordination. The network was exposed to serious risks in its physical access controls and logical controls. The key data and huge volumes of cash pertaining to various departments had been left to the administration of a private operator without adequate internal controls. Data integrity, reliability, and safety across the project were also inadequate.

Indian Customs Electronic Data Interchange System (ICES) envisages acceptance of Customs documents electronically and exchange of information electronically with other agencies involved in international trade. The audit revealed:

- that after nine years the project is far from complete (paragraph 2.5 (a)(i))

With a view to improve the efficiency and effectiveness of Direct Taxes administration and to create a database on its various aspects, a Comprehensive Computerisation programme was approved by the Government in October 1993.

This review broadly covers two main aspects -- (i) procurement policy and (ii) the computerisation programme with reference to the objectives and its implementation.

Controls in a computer information system reflect the policies, procedures, practices and organisational structures designed to provide reasonable assurance that objectives will be achieved. The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations...

Ireland

The report presents the findings of a value for money examination of the development of a human resource management system for the health service (PPARS). The examination looked at the outturn on the project in terms of cost, time and functionality. It also reviewed how the project was planned and governed, including the adequacy of the business appraisal, how change management was handled and the arrangements for the procurement and management of consultancy and technical support services, as well as the extent to which the expected benefits are being realised.

Israel

The difficulty in managing and preserving electronic records produced by government authorities and in assuring access to them is a challenge that requires appropriate preparation and organization. The issues raised in this report indicate the need for inter-ministerial collaboration in the creation of the necessary infrastructure for the preservation of electronic records. It would be proper for the government to address this matter.

The Accountant-General's Department in the Finance Ministry has taken many important steps to promote Online Government. Nevertheless, government offices still do not do enough to provide services through the government's Online Payment Service. The Online Government Project must define its powers, work program and budgetary framework. In order to implement the project and assure its success, it is necessary to draw up an overall program encompassing all the relevant offices and services.

Japan

Nippon Telegraph and Telephone Corporation's Leased Line Recovery Service under-utilised many transmission circuits, for which the installation costs totalled ¥192 million. Audit report from Fiscal Year 1993.

South Korea

E-government project

April 2006

The objective of this audit was to help the Korean government undertake the e-Government project more efficiently by identifying issues or problems encountered while implementing the projects and figuring out possible solutions to such issues or problems.

To this end, the BAI audited 11 central administrations including the Ministry of Government Administration and Home Affairs (MOGAHA), four local governments and two organizations established by the government including the National Computerization Agency (NCA).

Korea is trying to establish a nation-wide broadband information and communication network. To comprehensively review the developments and analyze the shortcomings of those efforts, the Board of Audit and Inspection conducted an audit of 14 government agencies including the Ministry of Information and Telecommunication and the Ministry of Government Administration and Home Affairs.

Malta

This performance audit was carried out to determine whether the policy of introducing IT systems in school management was successfully realised and whether funds invested in the project were spent wisely.

Among other things, the audit found that the criteria for adjudicating the tender gave relatively little weight to technical and functional considerations; project planning was poor; ownership on the part of the Education Division was lacking; the project management structure was deficient in that specific positions and roles were not clearly defined; and project implementation was initially resisted by school heads and staff and was thus delayed.

Given this environment, the UK supplier failed to deliver a number of contracted deliverables. Only half of the modules of SIS were eventually delivered and these still carried severe defects.

- project monitoring was not carried out properly. The composition and modus operandi of the Project Co-ordination Committee were not clearly defined;

- the Functional Specification prepared by the contractor was deficient - there were no standards for preparing such documents at that time;

- proper tendering procedures were not followed before entrusting the software development of Phase 1 of the project;

- management control over the computerised system was weak and deficient. There were no established documentation, personnel and password policies. Physical and environmental access as well as logical access controls were unsatisfactory.

New Zealand

In October 2001, a report to the Ministry of Health by the Working to Add Value through E-information (WAVE) Advisory Board, known as the WAVE Report, brought together the health sector's recommendations for making more effective use of health information. The WAVE Report envisaged rapid change in 3 to 5 years, which is a demanding timetable. This report looks at the progress made by the Ministry of Health, District Health Boards, and the health sector. The sector's ability to access and exchange information quickly is increasingly important to the delivery of high quality health care, and Parliament's Health Committee has expressed concern about the extent of progress since the WAVE Report was published.

The public libraries of the five local authorities currently operate automated library management systems that are due for replacement or major upgrade in the near future. The five local authorities identified an opportunity to work together to evaluate the costs, benefits, and feasibility of jointly purchasing a replacement library management system and, if these are proven, to proceed to purchase, implement, and jointly operate the system.

Eight Auckland local authorities first began evaluating the possible benefits of working together at the end of 1999. At its meeting of September 2000, the Auckland Chief Executives Forum directed staff to establish a working party to report on E-Local Government in the Auckland region. In October 2000, a proposal was put to the forum for a working party that would establish a vision for E-Local Government in the Auckland region, draw up strategies, and identify net benefits from co-operation.

The agreement provided for IT servicing to the same standards as those adopted at Environment Bay of Plenty, help desk facilities to standard Environment Bay of Plenty response and escalation times, and Internet and e-mail support through a communications link to the Regional Council network.

The Regional Council Information Technology Consortium came about from an arrangement between Waikato and Horizons Regional Councils to exchange database modules. Horizons Regional Council briefed a group of regional councils on its information technology (IT) strategy, which led others to express interest in joining the Consortium. A number of factors led the other Regional Councils to join, including that:

- it enabled them to upgrade their IT infrastructure;

- they have common statutory responsibilities, information needs, and business processes; and

- at the time, there were few software products available to meet the needs of Regional Councils.

i. Governance and accountability: identifies the key players and roles in major IT projects, and discusses current practice and issues with these roles.

ii. Understanding IT projects: describes the environment within which IT projects operate, and the normal stages of projects. It discusses key issues with the conduct of IT projects, and concludes by commenting on project risks.

iii. Reasons for project success and failure: opens with an inventory of typical reasons for project success, and goes on to summarise the issues identified during the interviews on which this report is based. The issues are grouped under the headings of skills, behaviour and information; and we draw together the threads from the previous parts.

Norway

The National Insurance Administration can to only a limited extent document the achieved effective output of IT investments. Systems and procedures intended to secure returns from IT projects do not function satisfactorily. Deficiencies were revealed in the risk management, communication and follow-up of IT projects in the National Insurance Service.

An investigation by the Office of the Auditor General (the OAG) of the authorities' efforts to safeguard IT infrastructure concludes that IT security work is characterised by the involvement of many parties and an unclear assignment of responsibility. Few planned measures have been implemented. The OAG is of the opinion that government protection measures against IT attack should be given the highest priority and that ministries must place more emphasis on attaining coordinated and unified management and monitoring of IT security efforts.

The audit revealed that there is no general IT strategy for the justice sector as a whole. A strategy of this nature would be able to help ensure that all the parts of the sector received the same management signals and gave priority to the same areas. This applies in particular to the forwarding of the signals regarding collaboration in order to achieve flow and reuse of information across the criminal justice chain. The IT strategies that have been developed for individual parts of the sector are approved on the departmental level in the Ministry. This can entail a risk of insufficient attention being paid to overall matters and inadequate connection to the first-order objectives for the sector.

Oman

In October 1999, the INTOSAI IT Audit Committee constituted a research team led by SAI-Oman for conducting a research study on how SAIs can use intranets for getting better value out of IT. The team prepared and circulated a research paper and a survey questionnaire to all INTOSAI members for their comments and responses. This research document was then finalised and circulated to INTOSAI members in 2001.

Romania

The mission of auditing SEN was inspired by the need to assess the current stage in the development, implementation and utilization of the information technologies and tools associated with the e-government and e-administration systems currently available and supporting the effective delivery of high quality electronic services to a broad spectrum of users: citizens, public administration and the business environment.

The main evaluation criteria were the integration of the IT and its specific tools in the basic Information Society structures and the degree of compatibility with the European administrations as a requirement of the integration of Romania into the EU.

We sought assurance that the system as a whole included sufficient IT controls with respect to the associated risks, and that the implementation was achieved through the active participation of the highest management levels, since the implementation of SEN requires not only vision but also political management at the highest level.

The audit objective was to assess the system with respect to the management of the available resources (data, applications, technologies and facilities, human resources, etc.) to reach the objectives, while ensuring efficiency, confidentiality, integrity, availability, reliability and conformity with a reference framework (standards, best practices, laws, etc.).

This report assesses the economy, efficiency and effectiveness of the IT services in the Ministry of Public Finances regarding economic agents' reports on their budgetary obligations, the management of reimbursements and the granting of payment facilities, focusing especially on those aspects connected with the VAT domain.

The audit was conducted at the Ministry of Education and Research, at the 42 school inspectorates and at a sample of 126 high schools. It assessed the information technology platforms and their performance regarding the modernisation of the teaching process.

The objective was to obtain reasonable assurance concerning the deployment and operation of the information system (the AEL - Assistant Education Learning - system), in accordance with the provisions of the Programme IT-based Educational System, with the applicable rules and regulations, and with specific security standards. An associated goal was to evaluate the system's performance in modernising the teaching process.

The audit of the information system was performed over the specific controls dedicated to: management information system, physical security and environmental controls, security of information and of systems, systems continuity, change management, and internal audit.

Thailand

The Royal Thai Government aims to use IT to increase operational efficiency and effectiveness with the ultimate goal of serving citizens better. However, there has been evidence of IT project and program delay. One of the effective means to help improve the situation - aside from self-assessment - lies in the independent assessment of IT investments in the form of performance audit.

This report deals with 5 aspects of general controls over the computer systems:

Organisation, Management and Internal Audit;

Computer Operations;

Physical Security;

Logical Security;

System Backup and Contingency Plan.

The report contains findings and recommendations on:

Security Administration;

Strengthening internal IT audit functions;

Reporting and solving operating problems;

Safeguarding computer resources;

Improving access controls;

Backup and secure disposal of important files and documents;

Contingency planning.

General Control Evaluation of the Revenue Department's Computer Systems (March 2001)

This report deals with 5 aspects of general controls over the computer systems:

Organisation, Management and Internal Audit;

Computer Operations;

Physical Security;

Logical Security;

System Backup and Contingency Plan.

The report contains findings and recommendations on:

Strengthening internal IT audit functions;

Separation of Duties;

Backing up and safeguarding important files and documents;

Improving access controls;

Logging and security administration;

Contingency planning and standby computer centre.

General Control Evaluation of Land Transport's Computer Systems (March 2001)

This report deals with 5 aspects of general controls over the computer systems:

Turkey

The report examines the adequacy of public web sites as an indicator of the institutional capacity to deliver e-Government services, established within the framework of the activities of the eDTr Project (Transformation Turkey Project). In particular:

Are the public web sites (portals) structured so as to ensure that the public services in an electronic environment are delivered in a better way?

United Kingdom

Since the early 1990s, the Driver and Vehicle Licensing Agency (DVLA), the Driving Standards Agency and the Vehicle and Operator Services Agency have made fifteen services available either through the internet, by telephone or through business-to-business computer systems. Services include applying for provisional driving licences, booking driving tests, taking driving theory tests and buying car tax. During 2006-07, some 50 million transactions were handled electronically. The report found that these developments have improved accessibility to these services and are expected to provide savings in the future. In addition, there was scope to increase take-up, make further efficiencies and generate savings.

The public sector should plan more carefully how it disposes of its growing volume of personal computers and associated equipment, according to a report out today by the National Audit Office. The efficient, legal and socially responsible disposal of such equipment is an increasingly important issue for the public sector. Many public bodies have limited information about the volume and condition of the equipment they dispose of. On average, public bodies replace their ICT equipment at around five years; commercial practice indicates that the optimal age to replace such equipment is more often at around three years of age, resulting in reduced operating costs and increased resale value for the equipment.

Today's report indicates that public bodies could potentially generate significant savings, through reduced operating costs and improved resale value, by following best commercial practice and disposing of equipment at three years. Further work is required, however, to more fully understand the costs and benefits involved in changing the way in which public bodies manage their ICT equipment and identify the optimal time to refresh their equipment.

Public bodies, however, need to consider more than the immediate financial value when developing their ICT equipment procurement and disposal strategy. With growing public concern about the environment, the report concludes that beyond consideration of immediate value there needs to be greater joined up thinking and leadership at the centre of Government about how best to secure value in the longer term. This includes the need to understand better the wider environmental costs and benefits from the acquisition, use and ultimate disposal of ICT equipment.

The NAO recommends that the public bodies at the centre of government with responsibilities in this area (the Office of Government Commerce, the Department for Environment, Food and Rural Affairs, the Department of Trade and Industry and the Environment Agency), should conduct a joint analysis of how to maximize the whole life value of public sector ICT equipment. This should consider:

opportunities to reduce the amount of ICT equipment currently being purchased, through a better understanding of how organisations and their staff use such equipment;

the wider environmental costs and benefits of moving to an earlier disposal age for ICT equipment;

whether more second hand and re-useable ICT equipment could be made available to other sectors (such as schools) through discounted resale or charitable donation; and

how the public sector can make better use of its purchasing power to bring about environmentally beneficial changes in the design and manufacture of ICT equipment.

In addition to value for money, public bodies also need to think about a range of other issues when disposing of ICT equipment. These include vulnerability to legal action, and loss of reputation and public trust if they fail to act properly or fail to maintain adequate oversight of the third parties they employ to resell or dispose of ICT equipment. These risks apply to three areas: environmental protection; data protection and security; and electrical safety. The NAO found that, while there are some areas of good practice, the majority of public bodies have little oversight of their ICT equipment disposal arrangements and therefore simply do not know how well these risks are being managed.

As a result the NAO recommends that public bodies should put in place the means to ensure they have oversight of their entire ICT equipment disposal chain (for example through regular audits and spot checks), so they are confident that all third parties are acting legally, responsibly and ethically.

The report found that many government websites tend to be text heavy and off-putting to the user. Internet users told the NAO that some government websites are complex to understand and navigate and information useful to them is often hard to find amongst large amounts of policy material not relevant to them.

Government is seeking to improve this situation by radically reducing the number of central government websites. This will be carried out by moving customer-facing online information into two main supersites, Directgov and businesslink.gov.uk. This is designed to provide the public and businesses with a simple and clear route to accessing information and performing transactions. The report shows that Directgov content and presentation were appreciated by citizens. This is a promising new initiative, but it is an ambitious programme and needs to be carefully managed and kept under regular review.

Information on the cost of providing information online, and data on users, also need to be improved. A third of departments and agencies have very little knowledge about how much their online provision of services is costing them. And most departments do not have sufficient information on who is using their sites and how they are being used.

The report highlights the potential for better web-based information: for example to inform choice such as finding schools for children or choosing NHS hospitals for operations.

The Identity and Passport Service had successfully completed its project to introduce electronic passports, or ePassports, on time and to the required international standards. However, longer term risks to value for money remain because of the newness of the technology and unknown performance of border control readers in high-volume situations.

Between May 2003 and the end of November 2006, the Identity and Passport Service spent £4.9 million on full-time consultants working on the ePassports project. Although the use of technical consultants contributed to the successful completion of the project, the use of consultants risks the loss of institutional knowledge for follow-on projects, such as second generation ePassports and identity cards. £3 million of the £4.9 million total consultancy spend was on non-technical consultants such as project managers, business analysts and administrators. The NAO estimates that at least £3.5 million could be saved over five years by using civil servants instead of consultants in these non-technical roles, if it proves possible to recruit them.

The National Programme’s scope, vision and complexity are wider and more extensive than any ongoing or planned healthcare IT programme in the world and it represents the largest single IT investment in the UK to date. It is designed to deliver important financial, patient safety and service benefits.

The report concluded that the main implementation phase of the Programme and the realisation of benefits are mainly a matter for the future and it will therefore be some time before it is possible fully to assess the value for money of the Programme, as this will depend on the progress made in developing and using the systems it is intended to provide. The NAO has examined progress to date in delivering the systems against the original plans and the costs of the Programme; the steps taken by the Department, NHS Connecting for Health and the NHS to deliver the Programme; how the IT systems have been procured; and how the NHS is preparing to use the systems delivered.

The NAO found that the Department and NHS Connecting for Health have made substantial progress with the Programme. There are significant challenges, especially in three key areas:

Ensuring that the IT suppliers continue to deliver systems that meet the needs of the NHS, and to agreed timescales without further slippage.

Ensuring that NHS organisations can and do fully play their part in implementing the Programme’s systems.

Winning the support of NHS staff and the public in making the best use of the systems to improve services.

The Department successfully completed the first major re-competition of a large public sector IT contract and transfer from one supplier to another without a loss in service to the taxpayer. In doing so they spent £75m on procurement and transition. The Department's reason in this case to pay part of the bid costs and to contribute to the costs of transition was to encourage competition. The report highlights useful lessons from HM Revenue & Customs' experience of ASPIRE for other government departments in re-competing major contracts and managing transitions.

The timetable to introduce the Single Payment Scheme was tight, and became tighter following changes to the original specification of the IT system to incorporate changes to EU Regulations, legal clarification of the Regulations, Ministerial decisions and operational changes such as the design of the application form. Nonetheless, difficulties within the Agency’s control contributed to delays in making payments. Each element of the IT system was tested, but the system was never tested as a whole before the scheme was introduced, and problems arose once it went live.

The report features some two dozen IT-enabled programmes and projects, from both the public and the private sectors, within the UK and overseas, which demonstrate how success can be achieved. The report identifies what Government can do to enhance the chances of bringing about IT success and represents a clear challenge to departments to take action to reduce the risk of failure and embrace innovation while safeguarding the taxpayer.

Improving IT procurement: The impact of the Office of Government Commerce's initiatives on departments and suppliers in the delivery of major IT-enabled projects

In 2002-03 UK central civil government spent £2.3 billion on IT. The history of failure of major IT-enabled projects has been characterized by overspends, delays, poor performance and abandonment of projects at major cost.

In response, the Office of Government Commerce introduced four initiatives:

Gateway Reviews, to provide independent assessments of IT-enabled projects at stages of the procurement cycle;

Centres of Excellence within departments, to provide a co-ordinating function for programme and project management;

The Successful Delivery Toolkit, bringing together best practice in a single reference point;

The Programme and Project Management Specialism and the Successful Delivery Skills Programme which aim to improve the commercial skills of departments.

The NAO found that these measures were improving IT procurement and should increase the likelihood of successful delivery. Recommendations included the need:

for OGC to review the impact of its non-Gateway Review activities, such as its Successful Delivery Toolkit, and

for departments to ensure that their Boards exercise clear leadership to make sure guidance is followed, skills are developed and maintained, risks properly identified and managed, and the rigour of the Gateway process becomes ingrained in departmental thinking.

Identifying and Tracking Livestock in England

Identifying and tracking livestock helps to safeguard human and animal health, assists in controlling farming subsidies, and improves the farming industry's commercial performance. The Department's Cattle Tracing System tracks the movements of individual cattle throughout Great Britain. It has helped protect the public from BSE by, for example, helping check the age of animals slaughtered for human consumption. However, there are a number of obstacles to obtaining greater benefits:

- there are inaccuracies in the information reported: for example, a quarter of postal applications for cattle passports include an error and movement records are incomplete for one in eight animals, with the result that the current location of two per cent of cattle is uncertain;

- movement information is not fully up to date, because the deadlines for reporting are not always respected and because most are still reported by post. For example, a fifth of cattle movements are notified after the 3 day deadline and around five per cent are reported over five weeks late;

- there are increased costs to the government of at least £15 million a year as a result of the inaccuracy of information reported and keepers' continued reliance on postal or e-mail notification.

The Department is therefore encouraging keepers to make greater use of electronic methods of notification, especially the internet service CTS Online, which can check information before it is allowed on the system.

Transforming performance of HM Customs and Excise through electronic service delivery

HM Customs and Excise's major programme to use e-technology to improve the efficiency of their business operations and services, although at an early stage, is already showing signs of being able to transform the Department's performance. However, there are big risks in implementing a programme of this size. The report sets out recommendations that Customs should take to address them.

Inland Revenue: Standard Report 2002-2003 – Tax Credits (.htm)

In April 2003 the Inland Revenue introduced the New Tax Credits, but the systems did not work as intended, causing problems for claimants, employers and the Department. There were serious problems with system performance from April, which affected:

- stability (staff could not complete the processing of claims and had to start again);

- speed (staff had to wait too long to access information and records);

- availability (significant time in the working day was lost when the system was closed down to clear internal queues).

According to the Revenue and EDS, their IT service provider, the nature of the regime for testing the system meant that the underlying technical faults could not have been discovered and corrected in testing, although more testing might have reduced the effects of some of the problems. They were considering what lessons could be learned about technical system design and testing strategy, including the effects of a compressed testing timetable. The Department considers that it will have recovered much of the lost ground by March 2004 but will not be fully back on track until the end of 2004-2005.

GCHQ houses one of Europe's largest computer complexes and its new accommodation exhibits radical differences from most office building projects. To sustain the flow of vital intelligence to the Government, GCHQ retained responsibility for moving its technical capability into the new building. In doing so, GCHQ failed initially to consider all the implications of the move. As a result, estimates for the technical move increased more than tenfold, from £40M to £450M.

PPP in practice: National Savings and Investments' deal with Siemens Business Services, four years on

This report shows that there are alternatives to bailing out the private sector. NS&I and Siemens Business Services have learnt valuable lessons in the operation of this project, which are pertinent to other public-private sector partnerships. A whole business approach, where decisions are based on what is best for the business rather than what is best for either the public or the private sector, needs to be adopted if the public and private sectors are to achieve their objectives, and the private sector needs to recognize the management challenge that PFI represents.

In 2001-02 departments spent around £610 million on software, £100 million of which was spent on over one million software licences. The Office of Government Commerce (OGC) has negotiated software licensing agreements with IT suppliers that have secured savings for the taxpayer, but departments have been slow to take them up. Of 66 departments surveyed, 10 estimated that they would save some £5.4 million by using the agreements. Departments should also maintain reliable information on their licences and regularly check that no unlicensed software is being used.

Departments should also consider the total cost of ownership when purchasing major upgrades or new systems; such costs involve installing the system, retesting, resolving problems and training users.

This innovative scheme was aimed at widening participation in learning and helping to overcome financial barriers faced by learners, particularly those who lack skills and qualifications, but concerns that some providers were abusing the system led to the scheme being withdrawn. Had it not been closed the value of fraudulent claims could have run into tens of millions of pounds. 98 cases of suspected fraud are being investigated by the police, but because of the volume and complexity it may be two years before the full cost of fraud and abuse will be known.

The poor security of the online systems was a prime cause of the difficulties suffered. There were no procedures to archive log files to identify misuse of the online system, structured mechanisms and procedures were not in place to identify patterns of fraud, and there were no procedures to check that there was adequate security provision in the system.

Progress in making e-services accessible to all – encouraging use by older people.

More needs to be done to encourage older people, an increasingly large proportion of the population, to use government e-services if those services are to provide value for money.

The report covers e-services in several forms. Most public organisations now have websites, and some also provide services via call centres, electronic kiosks and digital TV. Up to now, though, older people have tended to use e-services far less than younger people. While this may be changing slowly, barriers to increased use include the physiological effects of ageing, lack of confidence or familiarity with new technologies, cost, location and a belief by older people that e-services are of no relevance to them.

A national standard IT system for magistrates' courts has been under development for over ten years but is still incomplete. The cost of the Libra project to serve 385 magistrates' courts soared from £146m to £390m, and the main supplier twice threatened to withdraw unless it was paid more money.

Commenting on the UK NAO's report, the Chairman of the Public Accounts Committee said "The Libra project is one of the worst IT projects I have ever seen. It may also be the shoddiest PFI project ever."

The NAO report Better Public Services Through e-Government (HC 704, Session 2001-02) examined progress in improving the management of IT projects across the public sector and the potential gains to be made from electronic service delivery. This report focuses on how government organisations have changed the way that they plan and provide Internet-based services and interactions since 1999. We look at in-depth case studies of Internet-based services in two departments, HM Customs and Excise and the Department for Transport, Local Government and the Regions. And we analyse central policy and initiatives undertaken principally by the Office of the e-Envoy.

This report considers (i) departments' progress in achieving e-government; (ii) the risks that need to be managed; and (iii) sets out the benefits of e-government with examples of how they can be achieved. The report highlights good practice which if more widely applied could help departments achieve the benefits of e-government. Our findings are based on an examination of 13 IT-enabled change projects being implemented by departments and other public and private sector organisations.

The Inland Revenue is at the forefront of the development of e-services in the public sector and their experience acts as a valuable exemplar to other Government departments. This report focuses on the take up of existing services and what is being done to improve those available to business and individuals.

The Inland Revenue, when required to make major enhancements to its national insurance computer system (NIRS 2) to accommodate significant legislative changes, decided to award a contract extension to Accenture, its existing supplier. And, according to a report from the National Audit Office, published today, the contract extension:

- offered better value for money than the alternatives available for delivering the required enhancements on time; and

- improved the way in which the development work is managed and paid for.

The report to Parliament by NAO head Sir John Bourn highlights lessons for departments engaged in similar IT projects. It recommends, in particular, that departments must understand what the impact of major legislative changes would be on their computer systems, and develop strategies to manage the risks. 14 November 2001. ISBN: 0102912297

Poor specification of expected outputs, weaknesses in service monitoring and inadequate control of purchasing contribute to a 70% overspend on a new government computer system. ISBN: 0102909016, HC 401, 2000-2001.

United States

The Department of Homeland Security's (DHS) capital investment plan for implementing its architecture is not based on a transition plan and is missing key information technology (IT) investments. Thus, the plan does not provide a comprehensive roadmap for transitioning the department to a target architectural state. Also, the plan does not account for all of DHS's planned investments in IT (excluding about $2.5 billion in planned IT investments). Without an architecture that is complete, internally consistent, and understandable, the usability of DHS's EA is diminished, which in turn limits the department's ability to guide and constrain IT investments in a way that promotes interoperability, reduces overlap and duplication, and optimizes overall mission performance.

The Department of Homeland Security (DHS) fiscal year 2006 appropriations act provided $40.15 million for the Immigration and Customs Enforcement's (ICE) program to modernize its IT infrastructure (program ATLAS). GAO (1) determined whether the plan satisfies certain legislative conditions and (2) provided other observations about the plan and management of the program.

The fiscal year 2006 Atlas expenditure plan, in combination with related program documentation and program officials' statements, satisfies or partially satisfies the legislative conditions set forth by Congress. This satisfaction, however, is based on plans and commitments that provide for meeting these conditions rather than on completed actions to satisfy them. For example, to address the legislative condition related to capital planning and investment control review requirements, the program plans to, among other things, update its cost-benefit analysis in September 2007 to reflect emerging requirements and other program changes and to complete a privacy impact assessment by April 2007. In addition, the program is in the process of defining how it plans to use its independent verification and validation agent. GAO also observed that DHS has not implemented key system management practices. Specifically, (1) rigorous practices are not being fully adhered to in developing and managing system requirements, (2) key contract management and oversight controls have not been fully implemented, (3) planned risk management practices have yet to be implemented, and (4) performance management practices that are critical to measuring progress against program goals are still being implemented. Thus, much still needs to be accomplished to minimize the risks associated with the program's capacity to deliver promised IT infrastructure capabilities and benefits on time and within budget. It is essential that DHS follow through on its commitments to build the capability to effectively manage the program. Proceeding without it introduces unnecessary risks to the program and potentially jeopardizes its viability for future investment.

The Department of Homeland Security (DHS) has established the management structure to effectively manage its investments. However, the department has yet to fully define 8 of the 11 related policies and procedures that GAO's ITIM framework defines. Until DHS fully implements processes to control its investments, both at the project and portfolio levels, it increases the risk of not meeting cost, schedule, benefit, and risk expectations.

The Department of Health and Human Services (HHS) has identified no detailed plans, milestones, or time frames for either its broad effort to encourage IT in health care nationwide or its specific objective to promote the use of health IT for quality data collection.

The report describes the steps HHS is taking to ensure privacy protection as part of its national health IT strategy and identifies challenges associated with protecting electronic health information exchanged within a nationwide health information network.

The Navy Marine Corps Intranet (NMCI) is a 10-year, $9.3 billion information technology services program. The Navy has met only 3 of 20 performance targets (15 percent) associated with the program's goals and nine related performance categories. After investing about 6 years and $3.7 billion, NMCI has yet to meet expectations, and whether it will is still unclear.

- prevent the introduction of unauthorized changes to application or system software; and

- ensure that work responsibilities for computer functions are segregated so that one individual does not perform or control all key aspects of computer-related operations and, thereby, have the ability to conduct unauthorized actions or gain unauthorized access to assets or records without detection.

The objective of the review was to assess the effectiveness of information system controls in ensuring the confidentiality, integrity, and availability of Treasury’s financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate on behalf of BPD and that are relevant to the Schedule of Federal Debt. The assessment included a review of the supporting network infrastructure that interconnects the mainframe and distributed-based systems.

Information security controls over the communication network were ineffective in protecting the confidentiality and availability of information and information resources. Although the Centers for Medicare & Medicaid Services (CMS) had many information security controls in place that had been designed to safeguard the communication network, key information security controls were missing. In addition, the controls that were in place had not always been effectively implemented. Specifically, CMS did not always ensure that its contractor effectively implemented controls designed to prevent, limit, and detect electronic access to sensitive computing resources and to devices used to support the communication network. For example, the network had control weaknesses in areas such as user identification and authentication, user authorization, system boundary protection, cryptography, and audit and monitoring of security-related events. Taken collectively, these weaknesses place financial and personally identifiable medical information transmitted on the network at increased risk of unauthorized disclosure and could result in a disruption in service. A key reason for these weaknesses is that CMS did not always ensure that its security policies and standards were fully implemented.

Overall, the Securities and Exchange Commission (SEC) has not effectively implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to the 43 previously reported weaknesses that remain uncorrected, GAO identified 15 new information security weaknesses. A key reason for SEC’s information security controls weaknesses is that the commission has not fully developed, implemented, or documented key elements of an information security program to ensure that effective controls are established and maintained. Until SEC implements such a program, its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable.

Although the Internal Revenue Service (IRS) has made progress, controls over its key financial and tax processing systems located at two sites were ineffective. In addition to the 40 previously reported weaknesses for which IRS has not completed actions, GAO identified new information security control weaknesses that threaten the confidentiality, integrity, and availability of IRS’s financial information systems and the information they process. For example, IRS has not implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. In addition, it has not effectively implemented other information security controls to physically secure computer resources, and to prevent exploitation of vulnerabilities and unauthorized changes to system software.

FBI Is Taking Steps to Develop an Enterprise Architecture, but Much Remains to Be Accomplished.

The FBI is managing its Enterprise Architecture (EA) program in accordance with many best practices, but other such practices have yet to be adopted. These best practices, which are described in GAO’s EA management maturity framework, are those necessary for an organization to have an effective architecture program. Examples of practices that the bureau has implemented include establishing a program office that is responsible for developing the architecture, having a written and approved policy governing architecture development, and continuing efforts to develop descriptions of the FBI’s “as is” and “to be” environments and sequencing plan. The establishment of these and other practices represents important progress from the bureau’s status 2 years ago, when GAO reported that the FBI lacked both an EA and the means to develop and enforce one. Notwithstanding this progress, much remains to be accomplished before the FBI will have an effective EA program. For example, the EA program office does not yet have adequate resources, and the architecture products needed to adequately describe either the current or the future architectural environments have not been completed. Until the bureau has a complete and enforceable EA, it remains at risk of developing systems that do not effectively and efficiently support mission operations and performance.

For the fiscal year 2005 budget, the Office of Management and Budget (OMB) developed processes and criteria for including IT projects (investments) on its Management Watch List. In doing so, it identified opportunities to strengthen investments and promote improvements in IT management. However, OMB did not develop a single, aggregate list identifying the projects and their weaknesses. Instead, OMB officials told us that individual OMB analysts used scoring criteria established in the office's Circular A-11 for evaluating the justifications for funding (known as exhibit 300s) that are submitted by federal agencies. OMB charged individual analysts on its staff, each of whom is typically assigned responsibility for several federal agencies, with maintaining, for their respective agencies, information on the IT projects included on the list. To derive the total of 621 projects on the list that OMB reported for fiscal year 2005, OMB polled its individual analysts and compiled the numbers. OMB officials told us that they did not construct a single list of projects meeting their watch list criteria because they did not see such an activity as necessary for performing OMB's predominant mission: to assist in overseeing the preparation of the federal budget and to supervise agency budget administration. Thus, OMB did not exploit the opportunity to use the list as a tool for analyzing IT investments on a government-wide basis, limiting its ability to identify and report on the full set of IT investments requiring corrective actions.

The Securities and Exchange Commission (SEC) has not effectively implemented information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive data. Specifically, the commission had not consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events to prevent, limit, and detect access to its critical financial and sensitive systems. In addition, weaknesses in other information system controls, including physical security, segregation of computer functions, application change controls, and service continuity, further increase risk to SEC's information systems. As a result, sensitive data—including payroll and financial transactions, personnel data, regulatory, and other mission critical information—were at increased risk of unauthorized disclosure, modification, or loss, possibly without detection.

Smart cards—plastic devices about the size of a credit card—use integrated circuit chips to store and process data, much like a computer. Among other uses, these devices can provide security for physical assets and information by helping to verify the identity of people accessing buildings and computer systems. They can also support functions such as tracking immunization records or storing cash value for electronic purchases. Government adoption of smart card technology is being facilitated by the General Services Administration (GSA), which has implemented a government-wide Smart Card Access Common ID contract, which federal agencies can use to procure smart card products and services.

Flaws in software code can introduce vulnerabilities that may be exploited to cause significant damage to information systems. Such risks continue to grow with the increasing speed, sophistication, and volume of reported attacks, as well as the decreasing period of time from vulnerability announcement to attempted exploits. The process of applying software patches to fix flaws—patch management—is critical to helping secure systems from attacks.

An overall cybersecurity framework can assist in the selection of technologies for CIP. Such a framework can include (1) determining the business requirements for security; (2) performing risk assessments; (3) establishing a security policy; (4) implementing a cybersecurity solution that includes people, processes, and technologies to mitigate identified security risks; and (5) continuously monitoring and managing security. Even with such a framework, other demands often compete with cybersecurity. For instance, investing in cybersecurity technologies often needs to make business sense. It is also important to understand the limitations of some cybersecurity technologies. Cybersecurity technologies do not work in isolation; they must work within an overall security process and be used by trained personnel. Despite the availability of current cybersecurity technologies, there is a demonstrated need for new technologies. Long-term efforts are needed, such as the development of standards, research into cybersecurity vulnerabilities and technological solutions, and the transition of research results into commercially available products.

The Social Security Administration (SSA) is continuing its work on the AeDib initiative and is in various stages of completing its electronic disability system; however, its accelerated strategy continues to involve risks. Specifically, GAO found that the agency is relying on limited pilot testing to help guide business and technical decisions and ensure that technology supporting the electronic disability system will work as intended (see table). Further, it is beginning its national rollout without ensuring that all critical problems identified in the pilot testing have been resolved and without conducting testing adequate to evaluate the performance of all system components collectively. Without resolution of critical problems and full testing, SSA cannot be assured that interrelated components will work together successfully.

Significant, pervasive information security control weaknesses exist at the U.S. Department of Agriculture (USDA), including serious access control weaknesses, as well as other information security weaknesses. Specifically, USDA has not adequately protected network boundaries, sufficiently controlled network access, appropriately limited mainframe access, or fully implemented a comprehensive program to monitor access activity. In addition, weaknesses in other information security controls, including physical security, personnel controls, system software, application software, and service continuity, further increase the risk to USDA's information systems. As a result, sensitive data—including information relating to the privacy of U.S. citizens, payroll and financial transactions, proprietary information, agricultural production and marketing estimates, and mission critical data—are at increased risk of unauthorized disclosure, modification, or loss, possibly without being detected.

Information Security: Status of Federal Public Key Infrastructure Activities at Major Federal Departments and Agencies.

In 2001, GAO reported that the federal government faces a number of challenges in deploying PKI technology (GAO-01-277). GAO was requested to follow up this work by (1) determining the status of federal PKI activities, including initiatives planned or under way at 24 major federal departments and agencies, as well as the status and planned activities of the Federal Bridge Certification Authority and Access Certificates for Electronic Services programs, and (2) identifying challenges encountered by the 24 agencies in implementing PKI initiatives since the 2001 report was issued.

Hearing on Worm and Virus Defense: How Can We Protect Our Nation's Computers From These Serious Threats?

PADC is a service offered by Department of Homeland Security's Federal Computer Incident Response Center (FedCIRC) that provides federal agencies with information on trusted, authenticated patches for their specific technologies without charge. The Director of FedCIRC reported that as of September 10, 2003, 47 agencies subscribed to PADC. However, the Office of Management and Budget has reported that while many agencies have established PADC accounts, actual usage of these accounts is extremely low.

Attacks on computer systems in government and the private sector are increasing at an alarming rate, placing both federal and private-sector operations and assets at considerable risk. By exploiting software vulnerabilities, hackers can cause significant damage. While patches, or software fixes, for these vulnerabilities are often well publicized and available, they are frequently not quickly or correctly applied. The federal government recently awarded a contract for a government-wide patch notification service designed to provide agencies with information to support effective patching. Forty-one agencies now subscribe to this service. At the request of the Chairman of the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, GAO reviewed (1) two recent software vulnerabilities and related responses; (2) effective patch management practices, related federal efforts, and other available tools; and (3) additional steps that can be taken to better protect sensitive information systems from software vulnerabilities.

Electronic Government: Potential Exists for Enhancing Collaboration on Four Initiatives

In accordance with the President’s management agenda, the Office of Management and Budget has sponsored initiatives to promote expansion of electronic government—the use of information technology, particularly Web-based Internet applications, to enhance government services. Each initiative demands a high degree of collaboration among organizations. For four of these initiatives, GAO was asked to determine, among other things, their implementation progress and the extent of collaboration among agencies and other parties involved.

Electronic Government: Challenges to the Adoption of Smart Card Technology

The federal government is making increasing use of smart cards (credit card-like devices that use integrated circuit chips to store and process data) to improve the security of its many physical and information assets. Besides better authenticating the identities of people accessing buildings and computer systems, smart cards offer a number of potential benefits and uses, such as creating electronic passenger lists for deploying military personnel, and tracking immunization and other medical records. However, agency managers face a number of substantial challenges in implementing smart card systems successfully, which have slowed their adoption in the past and continue to be factors in smart card projects.

Biometric technologies are available today that can be used in security systems to help protect assets. However, it is important to bear in mind that effective security cannot be achieved by relying on technology alone. Technology and people must work together as part of an overall security process. Weaknesses in any of these areas diminish the effectiveness of the security process. We have found that three key considerations need to be addressed before a decision is made to design, develop, and implement biometrics into a security system:

1. Decisions must be made on how the technology will be used.

2. A detailed cost-benefit analysis must be conducted to determine that the benefits gained from a system outweigh the costs.

3. A trade-off analysis must be conducted between the increased security, which the use of biometrics would provide, and the effect on areas such as privacy and convenience.

Records Management: National Archives and Records Administration's Acquisition of Major System Faces Risks.

Increasingly, government records involve documents that are electronically created and stored. In support of its mission to manage and archive these records and ensure access to the "essential evidence" that they contain, the National Archives and Records Administration (NARA) is acquiring an advanced Electronic Records Archives (ERA). GAO was asked to determine, among other things, how the ERA program's system acquisition policies, plans, and practices conform to industry standards and how well NARA is meeting the ERA program's cost and schedule.

"Pay.gov" is an Internet portal sponsored and managed by the Department of the Treasury's Financial Management Service (FMS) and operated at three Federal Reserve facilities. Pay.gov is intended to allow the public to make certain non-income-tax payments to the federal government securely over the Internet. FMS estimates that Pay.gov eventually could process 80 million transactions valued at $125 billion annually.

GAO found that FMS had not fully assessed the risks associated with the Pay.gov initiative. Although the agency prepared a business risk assessment for the Pay.gov application, it had not fully assessed the risks associated with the Pay.gov computing environment. Insufficiently assessing risks can lead to implementing inadequate or inappropriate security controls.

The Privacy Act regulates how federal agencies may use the personal information that individuals supply when obtaining government services or fulfilling obligations; for example, applying for a small business loan or paying taxes. Based on responses from 25 selected agencies to GAO surveys, compliance with Privacy Act requirements and Office of Management and Budget (OMB) guidance is generally high in many areas, but it is uneven across the federal government.

(Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, House of Representatives).

Complex electronic records are being created in volumes that make them difficult to organize and keep accessible. These problems are compounded as computer hardware, application software, and even storage media become obsolete, as they may leave behind electronic records that can no longer be read. As a result, valuable government information may be lost.

Geographic information systems (GIS), which manipulate, analyze, and graphically present an array of information associated with geographic locations, have been invaluable to all levels of government. Their usefulness in disaster response was demonstrated recently during the Space Shuttle Columbia recovery effort. GIS provided precise maps and search grids to guide crews to the debris that was strewn across 41 counties in Texas and Louisiana.

In 1994, the National Spatial Data Infrastructure (NSDI) program was established to address the problem of the redundancy and incompatibility of geospatial information on a national basis. Although efforts to build NSDI are progressing, achieving the vision of a nationwide GIS network remains a challenging and time-consuming task, and achieving full participation across governments in its development has also been difficult.

DOD Needs to Leverage Lessons Learned from Its Outsourcing Projects

Although DOD has acted on gathering and disseminating lessons learned and commercial leading practices related to general acquisition issues, its actions have generally not been focused on outsourcing or on sharing the lessons learned from IT services outsourcing across the department. By not systematically capturing and disseminating such information across the department, DOD is losing the opportunity to leverage the knowledge gained on IT services projects like those in GAO’s review.

An enterprise architecture provides a clear and comprehensive picture of the structure of an entity, whether an organization or a functional or mission area. It is an essential tool for effectively and efficiently engineering business processes and for implementing and evolving supporting systems. We offer here the first update to our maturity framework for enterprise architecture management. Its purpose is to provide federal agencies with a common benchmarking tool for planning and measuring their efforts to improve enterprise architecture management, as well as to provide the Office of Management and Budget with a means for doing the same government wide.

The Department of Defense relies on a broad array of intelligence systems to study the battlefield and identify and hit enemy targets. These systems include reconnaissance aircraft, satellites, and ground-surface stations that receive, analyze, and disseminate intelligence data. At times, these systems are not interoperable, either for technical reasons (such as incompatible data formats) and/or operational reasons. Such problems can considerably slow down the time to identify and analyze a potential target and decide whether to attack it.

GAO reviewed the use of smart cards across the federal government (including identifying potential challenges), as well as the effectiveness of the General Services Administration in promoting government adoption of smart card technologies. The review found that progress has been made in implementing smart card technology; as of November 2002, 18 federal agencies had reported initiating a total of 62 smart card projects. These projects have provided benefits and services ranging from verifying the identity of people accessing buildings and computer systems to tracking immunization records.

The Immigration and Naturalization Service (INS), a Justice agency, invested about $459 million in IT in fiscal year 2002. GAO was asked to determine whether there had been effective oversight of key INS IT system investments to ensure that they delivered promised capabilities and benefits on time and within budget - there had not.

Assessing the Reliability of Computer-Processed Data, GAO-03-273G, October 2002

Computer-processed data, often from external sources, increasingly underpin audit reports, including evaluations (performance audits) and financial audits. Therefore, the reliability of such data has become more and more important. This guidance is intended to demystify the assessment of computer-processed data.

Companies have developed "computer conduct" policies and implemented strategies to monitor their employees' use of e-mail, the Internet, and computer files. The companies covered in this report had policies that contained most of the elements experts agree should be included in company computer-use policies.

Since September 1996, the Federal Aviation Administration (FAA) has been developing the Standard Terminal Automation Replacement System (STARS) project to replace the outdated computer equipment that air traffic controllers currently use in some facilities to control air traffic within 5 to 50 nautical miles of an airport. This audit addressed the questions:

- How do the currently projected cost and deployment schedule for STARS compare with the original cost and schedule?

- How often has FAA changed its approved estimates?

- How has FAA responded to the DOT IG’s concerns about the agency’s plans for deploying STARS in Philadelphia?

- What has been the impact of changes in the schedule for deploying STARS?

In the fiscal year 2002 appropriations act covering the Executive Office of the President, the Congress limited the office’s use of systems modernization funds pending a report to the House and Senate Committees on Appropriations that included an enterprise architecture; an IT capital planning and investment control process; a capital investment plan; and an IT human capital plan.

The report was to be approved by the Office of Management and Budget (OMB) and reviewed by the GAO.

DOD does not have a well-defined process, including clear requirements, for certifying and authorizing telecom switches. The process is not fully documented, current, or complete, and DOD has not applied its telecom switch certification and authorization process consistently across vendors, and has sometimes violated policy. DOD's application of its telecom switch certification and authorization process is influencing vendors' plans for competing for the department's business.

On April 9, 2002, GAO testified on the Internal Revenue Service's (IRS) fiscal year 2003 budget request. Although IRS had adequately justified its $450 million Business Systems Modernization request, it did not develop its $1.63 billion information systems operations and maintenance request in accordance with the best practices of leading private- and public-sector information technology organizations. See GAO-02-580T.

Agencies are increasingly moving to an electronic environment rather than paper records. Because electronic records provide comprehensive documentation of essential government functions and provide information necessary to protect government and citizen interests, their proper management is essential.

Customs’ February 2002 ACE spending plan is the second in a series of legislatively required plans. This plan covers certain project management tasks as well as the definition, design, and development of the first ACE increment. GAO found that investment in ACE is a high-risk endeavor for several reasons:

- The system's size, performance parameters, and organizational impact make it technically and managerially complex.

- Customs fell far short of key commitments made in its first spending plan because it severely underestimated costs.

- Customs has recently decided to compress its time frame for delivering the system from 5 to 4 years.

Challenges to Effective Adoption of the Extensible Markup Language, GAO-02-327, April 5, 2002

The Extensible Markup Language (XML) is a flexible, nonproprietary set of standards for annotating or "tagging" information so that it can be transmitted over a network such as the Internet and readily interpreted by disparate computer systems. It is increasingly being promoted by information technology (IT) developers as the basis for making computerized data much more broadly accessible and usable than has previously been possible. As a result, many organizations, including both private businesses and federal government agencies, are building applications that try to take advantage of XML's unique features. Given the widespread interest in adopting this new technology, the chairman of the Senate Committee on Governmental Affairs asked GAO to assess (1) the overall development status of XML standards to determine whether they are ready for government-wide use and (2) challenges faced by the federal government in optimizing its adoption of XML technology to promote broad information sharing and systems interoperability.

This report presents a generic framework of IT acquisition practices from leading commercial firms. Grouped into seven phases, the practices and underlying critical success factors provide the underpinnings for an effective IT.

Information sharing and coordination are key elements in any defense against cyber attacks. The organizations GAO reviewed identified factors they considered critical to their success in building successful information-sharing relationships with and among their members.

Management of the U.S. Postal Service's (USPS) e-commerce program has been fragmented, and implementation of e-commerce initiatives has varied at different business units. Overall, USPS' performance in this area has fallen short of expectations.